The security and stability of the Internet has always been a preeminent goal of DNS operation and
management. One issue of recent concern is an intrinsic vulnerability in the DNS which allows
malicious parties to distribute false DNS information. Under this scenario, Internet users could be
unknowingly redirected to fraudulent and deceptive websites established to collect passwords and
sensitive account information.

A technology called DNS Security Extensions (DNSSEC) has been developed to mitigate those
vulnerabilities. DNSSEC assures the validity of transmitted DNS addresses by digitally "signing"
DNS data via electronic signature. "Signing the root" (deploying DNSSEC on the root zone) is a
necessary first and critical step towards protecting against malicious attacks on the DNS.19 On
October 9, 2009, NTIA issued a Notice of Inquiry (NOI) seeking public comment on the
deployment of DNSSEC into the Internet's DNS infrastructure, including the authoritative root
zone.20 On June 3, 2009, NTIA and the National Institute of Standards and Technology (NIST)
announced they will work with ICANN and VeriSign to develop an interim approach for
deploying DNSSEC in the root zone by the end of 2009.21

Meanwhile, section 8 of S. 773, the Cybersecurity Act of 2009, would require that any renewals
or modifications made to DOC contracts regarding the operation of IANA be subject to review by
a Cybersecurity Advisory Panel. S. 773 would also require NTIA to "develop a strategy to
implement a secure domain name addressing system."

Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a security objective. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. Availability of DNS services and data is also very important; DNS components are often subjected to denial of service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components.

DNS is susceptible to the same types of vulnerabilities (platform, software, and network-level) as any other distributed computing system. However, because it is an infrastructure system for the global Internet, it has the following special characteristics not found in many distributed computing systems:

No well-defined system boundaries?participating entities are not subject to geographic or topologic confinement rules

No need for data confidentiality?the data should be accessible to any entity regardless of the entity?s location or affiliation.

Because of these characteristics, conventional network-level attacks such as masquerading and message tampering, as well as violations of the integrity of the hosted and disseminated data, have a completely different set of functional impacts, as follows:

A masquerader that spoofs the identity of a DNS node can deny access to services for the set of Internet resources for which the node provides information (i.e., domains served by the node). This denial is not only for a limited set of clients but also for the entire universe of all clients needing access to those resources.

Bogus DNS information provided by a masquerader or intruder can poison the information cache of the DNS node providing that subset of DNS information (i.e., the name server providing Internet access service to the enterprise?s users), resulting in a denial of service to the resources serviced by it.

Violation of the integrity of DNS information resident on its authoritative source or the information cache of an intermediary that has accumulated information from several historical queries may break the chained information retrieval process of DNS. This could result in either a denial of service for DNS name resolution function or misdirection of users to a harmful set of illegitimate resources.

If the name resolution data hosted by the DNS system violates content requirements as defined in DNS standards, it could have adverse impacts such as increased workload on the DNS system, or serving obsolete data that could result in denial of service to Internet resources. In most software, program data independence (as in conventional database management systems [DBMS]) provides a degree of buffer against adverse impacts due to erroneous data. In the case of DNS, the data content determines the integrity of the entire system.

Based on these functional impacts, the deployment guidelines for secure DNS presented by NIST consist of the following generic and DNS-specific recommendations:

Implement appropriate system and network security controls for securing the DNS hosting environment, such as operating system and application patching, process isolation, and network fault tolerance.

Protect DNS transactions such as update of DNS name resolution data and data replication that involve DNS nodes within an enterprises control. The transactions should be protected using hash-based message authentication codes based on shared secrets, as outlined in the Internet Engineering Task Force's (IETF) Transaction Signature (TSIG) specification.

Protect the ubiquitous DNS query/response transaction that could involve any DNS node in the global Internet using digital signatures based on asymmetric cryptography, as outlined in IETF's Domain Name System Security Extensions (DNSSEC) specification.

Enforce content control of DNS name resolution data using a set of integrity constraints that are able to provide the right balance between performance and integrity of the DNS system.

(ii) Secure the Domain Name System. DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains. The October 21, 2002 attacks on the core DNS root servers revealed a vulnerability of the Internet by degrading or disrupting some of the 13 root servers necessary for the DNS to function. The occurrence of this attack punctuates the urgent need for expeditious action to make such attacks more difficult and less effective. - U.S. National Strategy to Secure Cyberspace , February 2003 p. 30

DNSSEC

DNS Security (DNSSEC) refers to the addition of data authentication and integrity protection to the DNS protocol. This is accomplished by the inclusion of public keys and the use of digital signatures to DNS information.

D. Atkins, R. Austein, IETF RFC 3833, Threat Analysis of the Domain Name System (DNS) (Aug 2004) ("This note attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent (if any) DNSSEC is a useful tool in defending against these threats.")

"NTIA is committed to preserving the security and stability of the DNS," Acting NTIA Administrator Meredith Attwell Baker said. "In light of existing and emerging threats to the Internet DNS, the time is ripe to consider solutions such as DNSSEC. As we consider deploying this technology in the root zone, it is critical that we get feedback from all the interested stakeholders."

Background

The DNS is a critical component of the Internet infrastructure, which is used by almost every application to associate domain names with the Web addresses required to deliver information on the Internet. The accuracy, integrity, and availability of the information supplied by the DNS are essential to the operation of any system or service that uses the Internet.

Over the years, a number of vulnerabilities have been identified in the DNS protocol that threaten the accuracy and integrity of the DNS data and undermine the trustworthiness of the system. In particular, due to technical advances, vulnerabilities in the existing DNS have recently become easier to exploit. Malicious parties may use these vulnerabilities to distribute false DNS information, and to improperly re-direct Internet users.

DNSSEC was developed to mitigate these vulnerabilities. Accordingly, the Department is exploring the deployment of DNSSEC at the top level of the DNS hierarchy, known as the root zone.

NTIA is responsible for the development of the domestic and international telecommunications policy of the Executive Branch.